Arbitrary JavaScript Injection Vulnerability in Icinga Web 2 by Icinga
CVE-2025-27404

6.1MEDIUM

Key Information:

Vendor

Icinga

Status
Icingaweb2
Vendor
CVE Published:
26 March 2025

What is CVE-2025-27404?

A security flaw in Icinga Web 2 allows an attacker to craft a malicious URL that can inject arbitrary JavaScript into the application. When this URL is accessed by any user, the attacker can perform actions on behalf of that user, compromising the integrity of the application. This vulnerability affects users of Icinga Web versions prior to 2.11.5 and 2.12.3, with resolutions provided in subsequent updates. As a temporary defense, users of version 2.12.2 can enable Content Security Policy (CSP) in the application settings to mitigate risks.

Affected Version(s)

icingaweb2 < 2.11.5 < 2.11.5

icingaweb2 >= 2.12.0, < 2.12.3 < 2.12.0, 2.12.3

References

https://github.com/Icinga/icingaweb2/security/advisories/...
x_refsource_CONFIRM
https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5
x_refsource_MISC
https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.